Fail-safe control apparatus



1966 E. C. THOMSON FAIL-SAFE CONTROL APPARATUS Filed Sept. 4, 1964

United States Patent 3,288,195 FAIL-SAFE CONTROL APPARATUS Elihu C. Thomson, Wellesley, Mass., assignor to Electronics Corporation of America, Cambridge, Mass., a corporation of Massachusetts. Filed Sept. 4, 1964, Ser. No. 394,472. 17 Claims. (Cl. 158-28)

The present invention relates to improved control apparatus and more particularly to condition responsive systems, such as those useful in supervising fuel burning systems, and to means for insuring reliable operation of the sensory and signal modifying portions of such systems.

In condition responsive systems of the type employed for the supervision of flame established in a combustion chamber, it is desirable that the supervising system react very quickly to the presence or absence of flame so that the fuel valve may be closed quickly and prevent an excessive amount of unburned fuel from accumulating in the combustion chamber in the absence of flame. Flame sensing systems which have the desirable rapid response to the presence or absence of flame are well known, but such systems are susceptible to component malfunction and may cause the flame detecting system to falsely indicate the presence of flame. Should such a malfunction occur in a system supervising flame in a combustion chamber, an unsafe condition might arise as the system, in the event of flame failure, would continue to react as if flame was present and permit the continued introduction of raw fuel into the furnace chamber. The accumulated raw fuel could be ignited explosively, either by the hot refractory or upon an attempt to reignite the burner, for example, with disastrous results.

Industry standards specify that approved combustion control systems must operate with a maximum time delay of four seconds between flame failure and shutdown of the fuel flow to the supervised combustion chamber. Component checking arrangements which check the operability of the system by simulating flame failure therefore must complete their cycle through flame relay dropout and flame relay pickup within that time.

Accordingly, it is an object of this invention to provide an improved condition sensing system incorporating component checking arrangements whereby the operation of the condition sensing system is regularly checked to insure that the system is not falsely indicating the presence of the condition to be sensed.

A more general object of the invention is to provide a novel and improved control circuit of the fail-safe type which responds to two signals that alternate in time.

Another object of the invention is to provide a novel and improved fail-safe control system particularly useful with flame sensors.

Another object of the invention is to provide novel and improved control apparatus for use with condition responsive systems which incorporate means to periodically simulate the absence of the condition being sensed and means to check the continued operation of the condition absence simulator.

Another object of the invention is to provide novel and improved load control means in condition responsive systems.

A further object of the invention is to provide a novel comprehensive condition responsive system in which load energization is responsive to both the condition sensing circuitry and to the checking circuitry and provides improved self-checking operation.

Still another object of the invention is to provide a novel and improved combustion supervision system of the self-checking type.

In accordance with the invention there is provided a control circuit arrangement for energizing a load including a power source for the load and coupling circuitry for coupling power from the power source to the load while performing an isolating function so that the load is not directly energized from the power source. This coupling circuitry includes two energy storage devices and an input control having two states. The input control is adapted to operate in response to two signals which alternate in time. Those signals may be independent of one another or may represent the presence and absence of a condition, for example. The input control in a first state provides a first energy transfer loop between the power source and one storage device and a second energy transfer loop between the one storage device and the load and a fourth energy transfer loop between the source and the other storage device. The two states of the input control are exclusive of one another so that in each state two different energy transfer loops are established, one including the source and the other, the load. The load thus is energized from two energy storage devices and responds to each device directly and independently of the other device.

In the preferred embodiments of the invention, the load device is energized from a direct current source and is shunted by two asymmetrical devices having alternate high and low impedance conditions as a function of the polarity of electrical signals applied to them. These asymmetrical devices are connected in series and poled to permit current flow through them from the source. Connected between each source terminal and the load (and a corresponding asymmetrical device), however, is an energy storage capacitor which blocks energization of the load directly from the source. A charging loop for each capacitor is controlled by an input control means having two alternate states. The input control means in a first state provides a low impedance path to complete a charging circuit for one capacitor and presents a high impedance (open circuit) path in the charging circuit for the second capacitor. The control means, in each state, simultaneously completes an energizing loop through the load that includes the capacitor then not connected to the source. Through alternation of the input control means, the load is kept energized. In the preferred embodiment the input control is responsive to flame in a combustion chamber, and periodic flame failure simulation causes the input control to alternate. The circuit parameters and the cycle of the input control means are selected so that the duration of the discharge cycle of each capacitor is greater than the duration of that portion of the cycle of the input control means other than the portion required for fully charging the other capacitor.

Other objects, features and advantages of the invention will be seen as the following description of preferred embodiments thereof progresses, in conjunction with the drawing, in which:

FIG. 1 is a diagram of a combustion control system incorporating apparatus constructed in accordance with the invention;

FIG. 2 is a schematic diagram of a second embodiment of circuitry constructed in accordance with the invention; and

FIG. 3 is still another embodiment of checking circuitry constructed in accordance with the invention.

With reference to FIG. 1 there is shown a combustion chamber 10 having a main fuel line 12 and nozzle 14 extending thereinto. The flow of fuel through line 12 is controlled by solenoid operated valve 16, and fuel flowing into the combustion chamber is ignited to produce flame 18.

The flame in the combustion chamber is sensed by suitable sensing circuitry including a sensor 20 which may be an infrared or ultraviolet radiation sensor, a flame rod or other flame sensing device well known in the art. (A pilot flame may be initially established or manual start button 35, in parallel with contacts 34, may temporarily energize fuel valve 16.) The output signal from the sensor 20 may be applied through suitable signal modifying and/or amplifying circuitry 22 to operate flame relay 24. That flame relay controls a movable contact member 26 for motion between a first fixed contact 28 and a second fixed contact 30, contact 28 being the normally closed contact and contact 30 being the normally open contact. When the sensor 20 senses the flame and the circuitry is operating properly, the flame relay 24 is energized to move member 26, and open the circuit to the normally closed contact 28, while closing the circuit to the normally open contact 30. (Relay 24, of course, may be actuated conversely, that is, de-energized in the response to flame and energized upon flame failure.)

The flame relay controls a load device diagrammatically indicated as a load relay 32 which operates a set of contacts 34 that are connected in circuit to control the solenoid operated fuel valve 16 such that, if the flame 18 in the combustion chamber is extinguished after it has been established therein, the load relay 32 will be de-energized and open contacts 34 to close the valve 16 and prevent the flow of raw fuel into the combustion chamber.

The circuitry connected between the flame relay 24 and the load relay 32 constitutes a fail-safe rectifier circuit and operates as a self-checking system in conjunction with a cycling device which is illustrated as a shutter 36 driven in rotation by motor 38. The shutter has a sector of predetermined angular length which is interposed periodically between the sensor 20 and the flame 18 to block the sensor's view of the flame and thus simulate a flame failure condition. Other devices capable of causing the circuitry to respond periodically as if a flame absence existed may also be employed. The cycle of operation of the simulator device is of predetermined duration so that this checking operation occurs at regular intervals.

The checking circuitry includes a source 40 of direct current energy connected to terminals 41, 42 of polarity as indicated. The positive terminal 41 is connected to contact 28 and to one terminal of capacitor 44, and the negative terminal 42 is connected to contact 30 and one terminal of capacitor 46. Connected to the other terminal of capacitor 44 is an asymmetrical device in the form of diode 48 and one terminal of the load relay 32. Connected to the other terminal of capacitor 46 is a second asymmetrical device in the form of diode 50 and the other terminal of load relay 32. The two diodes 48, 50 are connected in series and their junction 52 is connected directly to the movable contact element 26 of flame relay 24.

The circuitry is shown in position resulting when flame relay 24 is de-energized. In this condition a capacitor charging path is provided from terminal 41 through contact 28 and diode 50 to charge capacitor 46 to the full supply voltage with polarity as indicated. Capacitor 44 is fully discharged, and therefore there is no potential across the solenoid coil of load relay 32 and, therefore, no current flow through that relay.

When the sensor 20 sees flame, relay 24 is energized to move member 26 from engagement with contact 28 to engagement with contact 30. This operation opens the charging path for capacitor 46 and completes a charging path for capacitor 44 from terminal 41 through capacitor 44, diode 48, and contact 30 to terminal 42. This is a low impedance path and capacitor 44 is rapidly charged to the full potential connected across terminals 41, 42. At the same time a discharge path for capacitor 46 is completed, which discharge path includes the load relay 32. That discharge path is from the positive terminal of capacitor 46 through load relay 32, diode 48 and contact 30, the potential across diode 50 due to charge on capacitor 46 being such that it is not conductive. The resulting current flow energizes the relay 32 and closes contacts 34 to energize the main fuel supply valve 16. The parameters of the circuit are adjusted so that the discharge time of capacitor 46 through this path is of longer duration than the radiation transmitting portion of the cycle of shutter 36.

Within that discharge time, therefore, the shutter 36 is caused to be interposed between flame 18 and sensor 20 and causes the flame relay 24 to be de-energized, opening the circuit at contact 30 and closing the circuit at contact 28. During the transition interval between contacts 30 and 28, the two capacitors are connected in series across the source through load 32. Capacitor 44, however, is charged to full supply voltage and capacitor 46 is partially charged to a potential of additive polarity so that the total capacitor voltage exceeds the supply voltage, and current flow continues through relay 32 in the direction to maintain the relay contacts 34 closed. It is desirable that the transit time of the member 26 between contacts 28 and 30 be as small as possible, as both capacitors during this transient are discharging simultaneously. However, the circuit design can accommodate transit times that are necessary for desired circuit operation.

With the contacts 28 and 26 in engagement, a discharge path for capacitor 44 is completed from the positive terminal of capacitor 44 through contact 28, diode 50 and the load relay 32 to the negative terminal of capacitor 44. This path maintains the load relay 32 energized. At the same time the charging path for capacitor 46 is again completed from terminal 41 through contact 28, diode 50 and capacitor 46 to terminal 42. Thus, capacitor 46 is recharged to supply potential, and during this interval the relay 32 is held energized by capacitor 44.

The circuitry continues to alternate in response to the flame relay, as controlled by shutter 36, to alternately charge capacitors 44 and 46, each capacitor having a charging path independent of the load relay 32 and a discharge path through the load relay independent of the source 40, each path including contacts of the flame relay. Should the flame 18 become extinguished or sensor circuitry fail, for any reason, to indicate flame during the open shutter period, the relay 24 will be de-energized and the load relay 32 will drop out in the time constant of the discharge circuit for capacitor 44 (a typical value being three seconds). When relay 32 drops out, contacts 34 open and de-energize valve 16 to terminate the flow of fuel into the combustion chamber 10.

Should any other component of the circuitry fail, the load relay 32 will similarly be de-energized within a predetermined time to open contacts 34, shutting down the supervising system in safe condition. For example, should a circuit component fail so that the relay 24 remains in energized position, the charge on capacitor 46 will not be replenished and the load relay will be de-energized within a predetermined time. (It will be noted that the time constant parameters of the discharge circuits of capacitors 44 and 46 need not be equal. The use of a longer time constant in the discharge circuit of capacitor 46 than of capacitor 44 enables the checking cycle time to be increased.) Similarly should the circuit fail so that the contact member 26 of flame relay is not in engagement with either contacts 28 or 30, both the capacitors will be discharging at the same time, and as soon as the total sum of their charges is equal to the supply potential, the relay will be de-energized, shutting down the system in safe condition.

Similarly, should either capacitor 44 or 46 become defective, either in short-circuit condition, open-circuit condition, or increased leakage, the relay 32 will be de-energized. In the case of their increased leakage, the discharge time of the capacitor discharge circuit is decreased, and when it becomes less than the cycle time of the simulator shutter 36, the system will be shut down in safe condition. Likewise, if the capacitor shorts, the short will be placed directly across the line through the diode when the capacitor is directly connected and a fuse or other protective component will blow. If either diode 48 or 50 becomes open-circuited, the capacitor to which it is connected will have no charging path; while if a diode shorts, it will shunt the current through the load relay 32 and that relay will drop out. Diode leakage will have an effect similar to capacitor leakage.
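The FIG. 1 operation and failure modes described above can be checked with a small behavioural model. This is an added example, not part of the patent: the shutter timing, time constants, hold threshold and the function names are assumptions, voltages are normalised to the supply, and contact transit time is ignored.

```python
"""Behavioural model of the FIG. 1 two-capacitor fail-safe circuit (added example).

Voltages are normalised to the supply (1.0). The numeric values are assumptions
for illustration; the page gives only a typical three-second dropout and the
four-second industry limit.
"""

DT = 0.001             # integration step, seconds
CYCLE_MS = 1000        # shutter period (assumed)
BLOCKED_FROM_MS = 750  # shutter blocks the sensor for the last 250 ms (assumed)
TAU_CHARGE = 0.01      # low-impedance charging path (assumed)
TAU_44 = 2.0           # capacitor 44 discharging through load relay 32 (assumed)
TAU_46 = 3.0           # longer constant for capacitor 46, as the text permits
TAU_46_LEAKY = 0.4     # capacitor 46 with increased leakage (assumed)
HOLD = 0.3             # load relay 32 drops out below this voltage (assumed)
LIMIT_S = 4.0          # maximum flame-failure response time cited on the page

FAULTS = ("none", "flame_out", "stuck_energized", "contact_floating", "leaky_c46")


def relay_position(ms, fault, faulted):
    """Where movable contact 26 rests: '30' (energized), '28' (de-energized), 'open'."""
    if faulted and fault == "flame_out":
        return "28"            # no flame signal in any part of the cycle
    if faulted and fault == "stuck_energized":
        return "30"            # sensing chain falsely reports flame
    if faulted and fault == "contact_floating":
        return "open"          # contact 26 touches neither 28 nor 30
    shutter_blocked = (ms % CYCLE_MS) >= BLOCKED_FROM_MS
    return "28" if shutter_blocked else "30"


def simulate(fault="none", fault_at_s=5.0, run_s=20.0):
    """Return seconds from the fault to load-relay dropout, or None if it holds."""
    if fault not in FAULTS:
        raise ValueError(fault)
    fault_ms = int(round(fault_at_s * 1000))
    v44, v46 = 0.0, 1.0        # state the text gives for a de-energized flame relay
    for ms in range(int(run_s * 1000)):
        faulted = ms >= fault_ms
        tau46 = TAU_46_LEAKY if (faulted and fault == "leaky_c46") else TAU_46
        pos = relay_position(ms, fault, faulted)
        if pos == "30":        # C44 charges from the source, C46 feeds the load
            load_v = v46
            v44 += (1.0 - v44) * DT / TAU_CHARGE
            v46 -= v46 * DT / tau46
        elif pos == "28":      # C46 charges from the source, C44 feeds the load
            load_v = v44
            v46 += (1.0 - v46) * DT / TAU_CHARGE
            v44 -= v44 * DT / TAU_44
        else:                  # both capacitors in series across the source via the load
            load_v = max(v44 + v46 - 1.0, 0.0)
            v44 -= load_v * DT / TAU_44
            v46 -= load_v * DT / tau46
        if load_v < HOLD:
            return (ms - fault_ms) * DT
    return None


if __name__ == "__main__":
    for name in FAULTS:
        print(name, simulate(name))
```

With these assumed values the load relay holds indefinitely while the input alternates, and every injected fault, including the false "flame present" case, removes the alternation or shortens a discharge and drops the relay inside the four-second limit.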

A modified embodiment is shown in FIG. 2 in which similar components are provided: flame relay 24 having fixed contacts 28, 30 and movable element 26', capacitors 44' and 46, diodes 48' and 50. The load relay 32', however, is divided into two sections 60, 62, and a center tap 64 between the two sections is connected to the junction 52 between the two diodes 48' and 50. The load relay 32' may be energized by current through either section 60 or 62, as these two sections constitute separate electrical loads but the magnetic flux generated by either section is common to both coils.

With the flame relay in de-energized condition, a capacitor discharge path for capacitor 44' is provided through contact 28', junctions 52' and 64, coil section 60 and resistor 66. With the flame relay 24' in energized condition, the discharge path of capacitor 46' is completed through relay coil section 62, junctions 64 and 52' and relay contact. As these two discharge circuits are independent, resistance may be introduced in one of the circuits (as at 66) to provide greater control over the discharge time of one of the capacitor discharge circuits. It will be noted that the capacitors are charged in the same manner as the embodiment shown in FIG. 1, and the load relay and resistor 66 are not conv

the transient charging current of capacitor 44" plus the continuous current drawn through resistor 78.

When the transistor 70 is switched to its off condition, the charging path for capacitor 44" will be opened, but capacitor 46" will be charged through the path from terminal 41", resistor 78, diode 50", to terminal 42". In this circuit the discharge path of capacitor 44" includes the resistor 78, and therefore the value of resistance 78 must be much smaller than the resistance value of load relay 32". Also, the voltage drop in resistor 78 will reduce the voltage to which capacitor 46" can be charged. However, the necessary circuit parameters can be taken into account in the design of this circuitry. Transistor 70 may obviously be replaced by a single pole, single throw switch or relay. Also, either transistor 70 or resistor 78, or both, may be replaced by light dependent resistors which are operated by periodic illumination.

While several embodiments of the invention have been shown and described, still additional constructions of the invention will be obvious to those skilled in the art, and therefore it is not intended that the invention be limited to the disclosed embodiments or to details thereof, and departures may be made therefrom within the spirit and scope of the invention as defined in the claims.

What is claimed is:

1. A fail-safe circuit comprising a load,

a power source for energizing said load,

coupling circuitry for coupling power from said source to said load including two energy storage devices, first circuit means to provide a first energy transfer loop between said source and one energy storage device independent of said load and a second energy transfer loop between the second energy storage device and said load independent of said source,

second circuit means to provide a third energy transfer loop between said source and said second energy storage device independent of said load and a fourth energy transfer loop between said one energy storage device and said load independent of said source,

and means to alternately complete said first and second circuit means for transferring energy from said source through said energy storage devices to said load.

2. A fail-safe circuit comprising a load,

power supply means for energizing said load,

coupling circuitry connected between said power supply means and said load including two energy storage devices,

two asymmetrically conductive devices, and

input control means having two states,

said input control means when in a first state providing an energy coupling path for the first energy storage device from said source through a first asymmetrically conductive device and an energy coupling path for the second energy storage device through said load,

and when in a second state providing a coupling path for the second energy storage device from said source through the second asymmetrically conductive device and an energy coupling path for the first energy storage device through said load, and

means to alternate said input control means between said two states in a cycle of predetermined duration.

3. A fail-safe circuit comprising an energy source,

a load,

two energy storage devices,

two asymmetrically conductive devices connected in series with one another and in parallel with said load,

means connecting each said asymmetrically conductive device in circuit to provide a first energy transfer loop between said source and one energy storage device independent of said load and a second energy transfer loop between the other energy storage device and said load independently of said source,

and input control means connected in said loops for controlling the transfer of energy through said loops between said source and said load.

4. A fail-safe circuit comprising a load,

direct current power supply means for energizing said load,

coupling circuitry connected between said power supply means and said load including two capacitors,

two asymmetrically conductive devices, and

input control means having two states,

said input control means when in a first state providing a charging path for the first capacitor from said source through a first asymmetrically conductive device and a discharge path for the second capacitor through said load,

and when in a second state providing a charging path for the second capacitor from said source through the second asymmetrically conductive device and a discharge path for the first capacitor through said load, and

means to alternate said input control means between said two states in a cycle of predetermined duration.

5. A fail-safe circuit comprising a load having two terminals,

direct current power supply means having two terminals for energizing said load,

coupling circuitry connected between said power supply and said load including two capacitors,

means connecting one capacitor between the terminal of said supply and one terminal of said load and the other capacitor between the second terminal of said supply and the second terminal of said load,

first circuit means to connect said one terminal of said supply to said second terminal of said load,

second circuit means to connect said second terminal of said supply to said one terminal of said load,

and means to alternatively complete said first and second circuit means for transferring energy from said source through said capacitors to energize said load.

6. A fail-safe circuit comprising a load having two terminals,

direct current power supply means having two terminals for energizing said load,

coupling circuitry connected between said power supply and said load including two capacitors,

two asymmetrically conductive devices,

means connecting said asymmetrically conductive devices across said load and in series with one another so that a junction is defined between them,

means connecting one capacitor between one terminal of said supply and one terminal of said load and the other capacitor between the second terminal of said supply and the second terminal of said load,

circuit means to connect said junction between said two asymmetrically conductive devices to the two terminals of said supply, and

means to periodically reverse the flow of energy through said circuit means for transferring energy from said supply through said capacitors to energize said load.

7. The circuit as claimed in claim 6 wherein said energy flow reversing means includes a relay having a normally open contact element connected to one of said supply terminals and a normally closed contact element connected to the other of said supply terminals.

8. The circuit as claimed in claim 6 wherein said load is an electromagnetic device having two electrical sections and a common magnetic section and further including a resistance element connected in series circuit between one of said electrical sections and one of said capacitors.

9. The circuit as claimed in claim 8 wherein said energy flow reversing means includes a control device having an output circuit and a control electrode for controlling current flow through said output circuit and means connecting the output circuit of said control device across said power supply.

10. A condition sensing system comprising a condition sensor adapted to produce an output as a function of a first sensed condition,

means to periodically modify said sensor output to simulate the sensing of a second condition,

a load adapted to provide an indication of the condition as sensed by said sensor,

a power source for energizing said load,

coupling circuitry for coupling power from said source to said load including two energy storage devices,

a first circuit means to provide a first energy transfer loop between said source and one energy storage device independent of said load and a second energy transfer loop between the second energy storage device and said load independent of said source,

second circuit means to provide a third energy transfer loop between said source and said second energy storage device independent of said load and a fourth energy transfer loop between said one energy storage device and said load independent of said source,

and means to complete said first circuit means in response to a sensor output representative of said first sensed condition and to complete second circuit means in response to an output representative of said second sensed condition for transferring energy from said source through said energy storage devices to said load.

11. The system as claimed in claim 10 wherein each said energy storage device is a capacitor and each said capacitor is connected in series between one terminal of said power source and one terminal of said load.

12. The system as claimed in claim 11 wherein said circuit completing means includes a relay responsive to the output of said condition sensor and having a normally open contact element in one of said circuit means and a normally closed contact element in the other of said circuit means.

13. The system as claimed in claim 11 wherein said circuit completing means includes a control device having an output circuit and a control electrode for controlling current flow through said output circuit and means connecting the output circuit of said control device across said power source.

14. The system as claimed in claim 11 wherein said load is an electromagnetic device having two electrical sections and a common magnetic section and further including a resistance element connected in series circuit between one of said electrical sections and one of said energy storage devices.

15. A combustion supervision system for supervising flame in a combustion chamber comprising fuel control means,

a flame sensor,

signal modifying means coupled to said flame sensor to provide an output signal indicative of the presence of flame in the supervised combustion chamber,

means cooperating with said flame sensor and signal modifying circuitry to periodically simulate a flame absence,

a load having two terminals,

direct current power supply means having two terminals for energizing said load,

coupling circuitry connected between said power supply and said load including two capacitors,

two asymmetrically conductive devices,

means connecting said asymmetrically conductive devices across said load and in series with one another so that a junction is defined between them,

means connecting one energy storage device between one terminal of said supply and one terminal of said load and the other energy storage device between the second terminal of said supply and the second terminal of said load,

circuit means to connect said junction between said two asymmetrically conductive devices to the two terminals of said supply,

means to periodically reverse the flow of energy through said circuit means for transferring energy from said supply through said capacitors to energize said load,

and means responsive to the energization of said load to operate said fuel control means for controlling the flow of fuel to said combustion chamber as a function of flame sensed by said sensor.

16. The system as claimed in claim 15 wherein said energy flow reversing means includes a relay responsive to the output of said flame sensor and having a normally open contact element connected to one of said supply terminals and a normally closed contact element connected to the other of said supply terminals.

17. The system as claimed in claim 16 wherein said load is an electromagnetic device having two electrical sections and a common magnetic section and further including a resistance element connected in series circuit between one of said electrical sections and one of said capacitors.

JAMES W. WESTHAVER, Primary Examiner.
